# RFC 1918 and other illegitimate source networks: packets that claim to
# originate from these ranges are dropped. Only the source side is checked
# here; 127.0.0.0/8 and multicast (224.0.0.0/4) do not appear in this
# fragment — presumably handled earlier in the file, confirm.
# NOTE: $CMD, $ME and $PORTA_SSH are defined elsewhere in the script and are
# deliberately left unquoted, as in the original: $CMD is expected to expand
# to a multi-word command (e.g. "ipfw add") and $ME may hold an ipfw address
# list, so word-splitting is intended — confirm against their definitions.
illegal_src_nets=(
  0.0.0.0/8
  10.0.0.0/8
  169.254.0.0/16    # link-local; MS DHCP default address
  172.16.0.0/12
  192.0.2.0/24      # reserved for documentation
  192.168.0.0/16
  204.152.64.0/23   # SUN cluster interconnect
  240.0.0.0/4
)
for net in "${illegal_src_nets[@]}"; do
  $CMD deny ip from "$net" to any
done

# Blocking illegal routing: drop packets carrying record-route, timestamp or
# loose/strict source-route IP options.
for ipopt in rr ts lsrr ssrr; do
  $CMD deny ip from any to any ipoptions "$ipopt"
done

# Blocking OS fingerprinting probes (Nmap): SYN+FIN and SYN+RST are flag
# combinations a legitimate TCP stack never sends.
for flagset in syn,fin syn,rst; do
  $CMD deny tcp from any to any tcpflags "$flagset"
done

# Blocking other miscellaneous attacks: port 0 is never a valid source or
# destination port.
for proto in tcp udp; do
  $CMD deny "$proto" from any 0 to any
  $CMD deny "$proto" from any to any 0
done

# egress filtering

# Everything the host itself originates is allowed, and keep-state creates a
# dynamic rule so the replies are accepted on the way back in.
$CMD allow ip from $ME to any keep-state

# Catch-all for outbound traffic. NOTE(review): every packet from $ME has
# already been accepted by the rule above, so this deny is effectively
# unreachable; it only matters if the rule above is changed or removed.
$CMD deny ip from $ME to any

# ingress filtering

# SSH access granted on the port configured in $PORTA_SSH (defined elsewhere).
$CMD allow tcp from any to $ME $PORTA_SSH

# TCP ports for cPanel services. NOTE(review): these allows are stateless —
# no "setup" or "keep-state" — so any TCP segment to these ports is accepted,
# not only connection requests. 3306 (MySQL) and 6666 are reachable from any
# source; restricting them to known client addresses would reduce exposure
# if remote access is not actually needed.
cpanel_tcp_ports=(
  20 21 25 53 80 110 143 443 465 993 995
  2082 2083 2086 2087 2095 2096
  3306 6666
)
for port in "${cpanel_tcp_ports[@]}"; do
  $CMD allow tcp from any to $ME "$port"
done

# UDP ports for cPanel services.
cpanel_udp_ports=(21 53 465 873)
for port in "${cpanel_udp_ports[@]}"; do
  $CMD allow udp from any to $ME "$port"
done

# rules for cPanel license
# NOTE(review): these use proto "ip" together with a port number; confirm
# that the loaded rules match only TCP/UDP as intended.
$CMD allow ip from any to $ME 2089 keep-state
$CMD allow ip from any to $ME 873 keep-state
$CMD allow ip from $ME to any 2089 keep-state
# Hostnames are resolved once, when the rule is loaded: if DNS is unavailable
# at load time the rule is not installed, and a later change of the record
# is not picked up until the ruleset is reloaded.
$CMD allow ip from $ME to rdate.cpanel.net keep-state

# rules for cPanel updates (same hostname caveat as above). NOTE(review):
# traffic originating from $ME has already been decided by the egress rules
# above, so for host-originated updates these rules are presumably never
# reached — confirm whether they are meant for forwarded traffic.
for host in layer2.cpanel.net rsync.cpanel.net httpupdate.cpanel.net \
  cpanel.net layer1.cpanel.net; do
  $CMD allow ip from any to "$host" keep-state
done

# FINAL CLOSE

# Default deny: anything not matched above is dropped and logged (ipfw
# logging is presumably rate-limited by its verbose-limit sysctl, so a flood
# does not fill the log indefinitely — confirm the configured limit).
$CMD deny log ip from any to any

Yes, the new ruleset has been active on my server since February with no big trouble. I think this is not a very good ruleset, but it is something that works. I hope someone can suggest how we can do better (my English is very ridiculous, sorry).

Are these rules any good? Can I use them on my FreeBSD 6.0 with cPanel 11? Thank you, guys.


These rules are about 3 years old; most of them look OK, but I am sure there are new ports and other things to consider. I wouldn't put them into place until you check them out line by line.
We use IPFW on all our FreeBSD boxes but make up the rules as we go along.